CVE-2010-3962 is a use-after-free / uninitialized memory corruption vulnerability in Microsoft Internet Explorer (IE) that was disclosed in November 2010. The vulnerability allows a specially crafted web page to trigger improper handling of an object (via CSS token sequences and the clip attribute), leading to memory corruption and potential remote code execution in the context of the user viewing the page.

Affected:

Internet Explorer 6,7, and 8 (on affected Windows platforms at the time.

Attackers can take advantage of this exploit or attack vector by

• Remote, client-side attack: An attacker hosts or injects a specially crafted web page where victims using a vulnerable IE (Internet Explorer) version loads the page, the exploit triggers the use-after-free condition and achieves memory corruption that can be chained to execute arbitrary code. An attacker could also weaponize this inside HTML email/Word documents in some attack chains.
• Exploit in the Wild: this vulnerability was actively exploited in November 2010 and remained a common target for obfuscated web exploit kits and targeted client-side attacks.

CERTVU recommend:

1. Patch immediately – apply Microsoft’s security update referenced in MS10-090